Compromised website

From Arch Hosting Wiki
Please note that this guide was written with WordPress websites in mind, but most of this information also applies to any other type of website.

Signs of a compromised account

Some signs of a compromised account are:

  • Unauthorized activity on your account (anything you don't recall doing yourself)
  • Unusually high bandwidth usage, or unusually high CPU usage
  • E-mail spam originating from your account
  • Cryptocurrency miners running on your account
  • Unusual website redirects

How the account was compromised

If your website was compromised, the most common causes are usually one of the following:

Vulnerable Plugins (we've seen this as the #1 cause of hacked websites)

  • If you install a WordPress plugin (or one for any other CMS, like Drupal or Joomla), there's a chance that it could be vulnerable. A vulnerable plugin is usually the result of poor code by the plugin's developer. An outdated plugin could also be a possible attack vector.
  • Hackers frequently crawl websites with automated scripts that check whether your website is using vulnerable plugins and, if so, use the vulnerable plugin to access and compromise your account.


Insecure Passwords

  • An insecure password was in use. This could be your cPanel password, your FTP password, your MySQL database password, your WordPress or admin area login password, or any other password that could allow somebody to access administrative sections of your website.
  • It's worth noting that the cPanel password was probably not the insecure password, unless you've manually reset it to something insecure. By default, cPanel passwords are randomly generated with secure complexity and length. Combined with our firewall, which monitors cPanel logins, this makes it unlikely that the cPanel login was the attack vector. Again, however, if you've manually reset your cPanel password to something insecure, then this could be a possible attack vector.

Domain Hijacks

  • If your domain is with a 3rd party registrar, you should check that you still have the domain in your account and that your domain registrar's account wasn't compromised. If a hacker has access to your domain, they can modify the DNS records to direct traffic to malicious servers. You should double check that your DNS entries or nameservers are still properly pointed to Arch Hosting.

Fixing a compromised account

There are several courses of action you can take to help resolve a compromised/hacked account.

It's important to note that even if you fix the vulnerability or the attack vector that the hacker used to gain access to your account, that won't necessarily remove the malware that's already present on your website. It's important to do two things: fix the vulnerability, AND remove any existing malware. A good step is to change all of the passwords on your account, just in case those were used as an attack vector. You should also note that if you have multiple domains/websites on your account and one website is compromised, you should consider all domains on the account to be compromised. This is especially true of WordPress websites, where it's very common for malware authors to make their malicious scripts replicate to every WordPress website they can access.

Expert Removal or Account Wiping

  • Arch Hosting's support team can clean up hacked websites. This is charged under our Advanced Support program. 
  • Contact a developer or website recovery service that can assist you in inspecting your website files to clean up your malware. 
  • Contact us to fully wipe your account, which will 100% ensure that the malware has been removed. From there, you can rebuild your website (if plausible) or restore from a backup that is confirmed as safe. This is the only way to be 100% sure that your account is clean.

Malware Detection Process

  • The first step should be to run the Virus Scanner in your cPanel. This is a simple virus scanner that can help detect some known samples of malware, but it is not conclusive and should not be the only tool used. It's a good place to start, however.
  • If you think your website was hacked due to having a vulnerable plugin (again, we've seen this as the #1 cause of hacked websites) then you should make a list of all the plugins you have on your account. You should then use Google to search for each plugin name with the word "vulnerability" or "hack" added at the end. This will help you identify whether any plugins you are using have known vulnerabilities. For example, if you have a plugin called "Slider Revolution" you should perform a Google search for "Slider Revolution vulnerability", or "Slider Revolution wordpress vulnerability". Perform this step for all plugins on your account.
  • Identify suspicious scripts. You should search your website's files, with FTP or your cPanel File Manager, and look for any scripts that don't belong. Hackers will usually take steps to hide their scripts, so it's not usually reasonable to do this manually if you have a large website. There are tools you can use to help you with this. For WordPress websites we highly recommend using the free plugin Wordfence. Wordfence is a WordPress plugin that will automatically scan and notify you of any files that don't belong on your website, which you can then take action to remove. This is a great tool to help fix compromised WordPress websites.
  • Visit the "CPU and Concurrent Connection Usage" page in your cPanel, and then click the "Snapshots" button. Navigate through the different days in the calendar, and use the next/previous button, to check if there have been any snapshots on your account. Snapshots are logs of high resource processes on your account. They may not always be there, but if they are they can be helpful to identify a malicious script. For example, in the picture below we can identify that a script used 100% of our CPU in one snapshot - which could be helpful when looking for a cryptominer malware:

[Screenshot: cPanel resource snapshot in which one script uses 100% CPU (4PH3QdT.png)]
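The plugin-inventory and suspicious-script steps above can be scripted when you have a copy of the site's files. This is an added example, not Arch Hosting's code or tooling: it reads each plugin's header comment to list the names and versions to look up, and flags PHP files under wp-content/uploads or files matching a few heuristic patterns. The patterns, extension list and function names are assumptions chosen for illustration, and a standard WordPress directory layout is assumed.

```python
import re
import sys
from pathlib import Path

# Heuristics only: a match means "review this file", not "this is malware".
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(
        rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "code-from-request": re.compile(
        rb"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/=]{500,}['\"]"),
}
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}


def plugin_inventory(wp_root):
    """Return {plugin_dir: (name, version)} from each plugin's header comment."""
    plugins = {}
    for main in sorted(Path(wp_root, "wp-content", "plugins").glob("*/*.php")):
        head = main.read_bytes()[:8192].decode("utf-8", "replace")
        name = re.search(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", head, re.M)
        if name:
            ver = re.search(r"^[ \t/*#@]*Version:[ \t]*(.+)$", head, re.M)
            plugins[main.parent.name] = (
                name.group(1).strip(), ver.group(1).strip() if ver else "unknown")
    return plugins


def scan_for_suspicious(wp_root):
    """Return sorted (relative_path, reason) findings for manual review."""
    root, findings = Path(wp_root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        # WordPress keeps media in uploads; PHP there rarely belongs.
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "php-in-uploads"))
        data = path.read_bytes()
        findings += [(rel, why) for why, rx in SUSPICIOUS.items() if rx.search(data)]
    return sorted(findings)


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for slug, (name, ver) in plugin_inventory(site).items():
        print(f'plugin {slug}: search "{name} vulnerability" (installed: {ver})')
    for rel, why in scan_for_suspicious(site):
        print(f"review {rel}: {why}")
```

Legitimate plugins can match these patterns and well-hidden malware can miss them, so treat the output as a review list alongside the cPanel Virus Scanner and Wordfence, not as a verdict.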

 

Preventing a website from becoming compromised again

  • Only install plugins from trusted sources
  • Always use the most up-to-date software, and check for updates frequently
  • Use secure, complex passwords for all parts of your website
  • Delete unused plugins, pages, or files 
  • Use Cloudflare
  • Use a security plugin and review it daily. For WordPress websites, use Wordfence
  • If you give out credentials to your developer or a support team, change your credentials once they've completed their work
  • Use valid, licensed software